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Subject: Transportation Security Administration's Processes for Designating and 
Releasing Sensitive Security Information 

Since the September 11, 2001, terrorist attacks, federal agencies have faced the challenge of 
protecting sensitive information from terrorists and others without a need to know while 
sharing this information with parties who are determined to have such a need. One form of 
protection involves identifying and marking such information sensitive but unclassified — 
information that is generally restricted from public disclosure but not designated as classified 
national security information. 

As part of post-September 11 efforts to better share information critical to homeland 
protection, sensitive but unclassified information has undergone scrutiny by Congress and 
GAO. In March 2006, we reported results from our survey of 26 federal agencies, from which 
we found that most of the agencies lacked policies and procedures for designating and 
releasing sensitive but unclassified information. As a result, we recommended 
governmentwide implementation of (1) guidance for determining what information should be 
protected with sensitive but unclassified designations, (2) provisions for training on making 
designations and for controlling and sharing information with other entities, and (3) a review 
process to determine how well the program is working. 1 



1 GAO, Information Sharing: The Federal Government Needs to Establish Policies and Processes for 
Sharing Terrorism-related and Sensitive but Unclassified Information, GAO-06-385 (Washington, 
D.C.: Mar. 17, 2006). 
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The Department of Homeland Security's (DHS) Transportation Security Administration 
(TSA) requires that certain information be protected from public disclosure as part of its 
responsibility for securing all modes of transportation. TSA, through its authority to protect 
information as sensitive security information (SSI), prohibits the public disclosure of 
information obtained or developed in the conduct of security activities that, for example, 
would be detrimental to transportation security. According to TSA, SSI may be generated by 
TSA, other DHS agencies, airports, aircraft operators, and other regulated parties when they, 
for example, establish or implement security programs or create documentation to address 
security requirements. 

In February 2005, TSA established its SSI office to develop and implement TSA policies 
concerning the handling, training, and protection of such information. Through this office, 
TSA has established regulations that allow for the sharing of SSI with covered persons having 
a need to know — including airport and aircraft operators, foreign vessel owners, and TSA 
employees. 2 If, however, persons who do not otherwise have a need to know request access 
to SSI, TSA may share or release such information if it determines the information no longer 
requires protection as SSI. Also, in the course of a civil proceeding, a requesting party or the 
party's attorney may be granted access to SSI after being cleared through a background 
check. This is permissible if the party has established that it has a substantial need for 
relevant SSI and that it is unable, without undue hardship, to obtain the substantial equivalent 
by other means. Furthermore, TSA or the judge in the civil proceeding must determine that 
the sensitivity of the information at issue does not present a risk of harm to the nation. 

Congress has had ongoing interest in whether TSA is consistently and appropriately 
designating information as SSI and balancing the trade-off between the need to protect SSI 
and the need to provide useful information to the public. Section 525 of the DHS 
Appropriations Act, 2007 (Public Law 109-295), required the Secretary of DHS to revise 
Management Directive (MD) 11056, which establishes DHS policy regarding the recognition, 
identification, and safeguarding of SSI, to (1) review requests to publicly release SSI in a 
timely manner and establish criteria for the release of information that no longer requires 
safeguarding; (2) release certain SSI that is 3 years old, upon request, unless it is determined 
the information must remain SSI or is otherwise exempt from disclosure under applicable 
law; and (3) provide common and extensive examples of the 16 categories of SSI (see app. I 
for a list of the categories) to minimize and standardize judgment by persons identifying 
information as SSI. 3 The law further prescribed steps that must be taken during the course of 
a civil proceeding in the U.S. District Courts to provide a party with access to relevant SSI. 
This provision also required us to report to the Committees on Appropriations of the Senate 
and House of Representatives on DHS's progress and procedures in implementing these 
requirements not later than 1 year from the date of the law's enactment (October 4, 2006). 

In addition to answering this mandate, we are following up on a June 2005 report in which we 
recommended that DHS direct the Administrator of TSA to establish (1) guidance and 
procedures for using TSA regulations to determine what constitutes SSI, (2) responsibility for 
the identification and determination of SSI, (3) policies and procedures within TSA for 



2 "Covered person" is defined at 49 C.F.R. § 1520.7 and includes persons permanently or temporarily 
assigned, attached, or detailed to, employed by, or under contract with DHS. Section 1520.11 
establishes the circumstances under which a person has a need to know SSI, such as when a person 
requires access to specific SSI to carry out transportation security activities approved, accepted, 
funded, recommended, or directed by DHS or the Department of Transportation. 

3 See Pub. L. No. 109-295, § 525, 120 Stat. 1355, 1381-82 (2006). 
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providing training to those making SSI determinations, and (4) internal controls 4 that define 
responsibilities for monitoring compliance with SSI regulations, policies, and procedures and 
communicate these responsibilities throughout TSA. 5 

To respond to the mandate and update the status of all four of our recommendations, we 
assessed DHS's 

• status in establishing criteria and examples for identifying SSI; 

• efforts in providing training to those that identify and designate SSI; 

• processes for responding to requests to release SSI, including the legislative mandate 
to review various types of requests to release SSI; and 

• efforts in establishing internal controls that define responsibilities for monitoring SSI 
policies and procedures. 

To address these objectives, we reviewed applicable DHS management directives, policies 
and procedures, and other related documents, and interviewed TSA and DHS officials 
involved in, the SSI designation, training, document review, and oversight processes. While 
our review focused on the policies and procedures developed by TSA, we also interviewed 
officials involved in the SSI designation, training, document review, and oversight processes 
for four other DHS components to better understand the use of SSI throughout DHS. We 
compared the internal controls in place with the standards for internal control in the federal 
government to determine whether TSA's internal controls are designed to provide reasonable 
assurance that monitoring exists to help ensure compliance with SSI regulations, policies, 
and procedures. 6 We also used as criteria GAO-developed core characteristics of a strategic 
training program to assess whether TSA has created and implemented the training necessary 
for staff to make SSI determinations. ' We determined that the data were sufficiently reliable 
for the purposes of our review. We based our decision on an assessment of existing 
documentation on program operations and interviews with knowledgeable officials about the 
source of the data and TSA's policies and procedures for collecting and maintaining the data. 

On October 4, 2007, we provided a copy of our briefing slides to your staff. This report 
conveys the information that was provided in these slides 
(see app. I). 

We conducted our work from May 2007 through October 2007 in accordance with generally 
accepted government auditing standards. 



4 Internal control is an integral component of an organization's management that provides reasonable 
assurance that the following objectives are achieved: (1) effectiveness and efficiency of operations, (2) 
reliability of financial reporting, and (3) compliance with applicable laws and regulations. 
D See GAO-05-677, Transportation Security Administration: Clear Policies and Oversight Needed for 
Sensitive Security Information (Washington, D.C.: June 29, 2005). 

6 GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-2 1.3.1 (Washington, 
D.C.: November 1999). 

' GAO, A Guide for Assessing Strategic Training and Development Efforts in the Federal 
Government, GAO-04-546G (Washington, D.C.: March 2004). 
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Results 



DHS, primarily through TSA's SSI Office, has addressed all of the legislative mandates from 
the DHS Appropriations Act, 2007, and taken actions to satisfy all of the recommendations 
from our June 2005 report. 

DHS revised its MD to address the need for updating SSI guidance, and TSA has established 
more extensive SSI criteria and examples that respond to requirements in the DHS 
Appropriations Act, 2007, and our 2005 recommendation that TSA establish guidance and 
procedures for using TSA regulations to determine what constitutes SSI. Further, TSA has 
documented the criteria and examples in various publications to serve as guidance for 
identifying and designating SSI. TSA has also shared its documentation of the criteria and 
examples with other DHS agencies. For example, the U.S. Coast Guard and U.S. Customs and 
Border Protection either have developed or are in the process of developing their own SSI 
examples to correspond with the types of SSI that their agencies encounter. Additionally, 
officials we interviewed from other DHS components have recognized opportunities to adapt 
TSA's criteria to their offices' unique needs. Furthermore, TSA has appointed SSI 
coordinators at all program offices to, among other things, implement SSI determination 
policy. This action responds to our 2005 recommendation that TSA establish responsibility 
for identifying and determining SSI. 

TSA's SSI Office is in the process of providing SSI training to all of TSA's employees and 
contractors in accordance with its recently established policies and procedures, an action 
that responds to our 2005 recommendation. The office uses a "train the trainer" program in 
which it instructs SSI program managers and coordinators who are then expected to train 
appropriate staff in their respective agencies and programs. Several aspects of the SSI 
training program that we evaluated are consistent with GAO-identified components of a 
strategic training program. TSA has taken actions to incorporate stakeholder feedback and 
establish policies to collect data to evaluate its training program and foster a culture of 
continuous improvement. For example, the SSI Office assesses the accuracy of the 
designations made by various DHS agencies and contacts the agencies, when necessary, to 
correct any problems. Additionally, TSA has taken action to coordinate training activities 
within and among DHS agencies. For instance, the SSI Office shares its guidance with other 
DHS components so that program managers can create customized training programs that 
will meet the needs of their staff. 

Consistent with the legislative mandate, DHS has taken actions to update its processes to 
respond to requests to release SSI. Specifically, DHS revised MD 11056 in accordance with 
the DHS Appropriations Act, 2007, to incorporate a provision that all requests to publicly 
release SSI will be reviewed in a timely manner, including SSI that is at least 3 years old. 
Between February 2006 and January 2007, the SSI Office received 490 requests to review 
records pertaining to the release of SSI, the majority of which came from government entities 
(62 percent). The SSI Office worked with the requesting government entity to agree upon a 
time frame for processing the request. Within the same 12-month period, 30 percent of 
requests were initiated by the public under the Freedom of Information Act (FOIA). 8 The SSI 
Office has established a process for reviewing information requested through the FOIA 
process in 5 days, unless the information consists of more than 100 pages. The remaining 8 
percent of requests within the 12-month period came from individuals in connection with 
litigation, including civil proceedings within the U.S. District Courts. According to TSA, 



The Freedom of Information Act is the primary process for releasing information to (and for 
withholding information from) information to the public, as appropriate. See 5 U.S.C. § 552. SSI, by 
statute, is exempt from disclosure under FOIA. 
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parties have sought SSI in nine civil proceedings since the enactment of the DHS 
Appropriations Act, 2007, in October 2006. In one such proceeding, the litigant requested that 
TSA make a final determination on the request for access to SSI. TSA, in accordance with the 
law, made a final determination in which it released some of the requested SSI but withheld 
other SSI because of the sensitivity of the information or because it was not relevant to the 
litigation. TSA's SSI Office stated that all information that is at least 3 years old that does not 
warrant continued protection as SSI is released upon request. The SSI Office uses a 
controlled access database to document the completion of its steps in reviewing requests to 
release SSI, which serves as a quality control mechanism. 

The internal controls that TSA designed for SSI are consistent with governmentwide 
requirements and respond to our 2005 recommendation. For example, standards for internal 
controls in the federal government state that areas of authority and responsibility be clearly 
defined by a supportive management structure and that controls be in place to ensure that 
management's directives are carried out. The revised DHS MD 11056 outlined areas of 
authority for the monitoring of and compliance with SSI policy. Further, the MD established 
managers and coordinators within DHS agencies and programs, respectively, to communicate 
SSI responsibilities to DHS staff. Standards for internal controls in the federal government 
also call for monitoring activities to assess the quality of program performance over time and 
ensure that problems raised during quality reviews are promptly resolved. TSA program 
managers and coordinators are required to periodically complete self-inspections on the use 
of SSI for their respective office or agency. 

Agency Comments 

We provided a draft of this report to DHS for review and comment. DHS did not submit any 
formal comments. However, TSA provided technical comments and clarifications, which we 
incorporated, as appropriate. 



We are sending copies of this report to other interested congressional committees and to the 
Secretary of the Department of Homeland Security and the Administrator of the 
Transportation Security Administration. We will also make copies available to others upon 
request. In addition, the report will be available at no charge on GAO's Web site at 
http ://www.gao. gov . 

If you or your staff have any questions concerning this report, please contact me at (202) 
512-6510 or by e-mail at Larencee@gao.gov . Contact points for our Offices of Congressional 
Relations and Public Affairs may be found on the last page of this report. Key contributors to 
this report were Glenn Davis, Assistant Director; Brian Sklar; Nicole Harris; Thomas 
Lombardi; Katherine Davis; Carolyn Ikeda; and Michele Fejfar. 




Eileen R. Larence, Director 
Homeland Security and 
Justice Issues 
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GAO 



Introduction 



After the terrorist attacks of September 1 1 , 2001 , the Aviation and 
Transportation Security Act (ATSA) was enacted on November 19, 
2001 , with the primary goal of strengthening the security of the 
nation's aviation system; 

ATSA created TSA as the agency responsible for the security of all 
modes of transportation and extended most civil aviation security 
responsibilities, including authority to designate Sensitive Security 
Information, from the Federal Aviation Administration (FAA) to TSA; 
and 

TSAs SSI authority is codified at 49 U.S.C. § 1 14(s) and its SSI 
regulations are codified at 49 C.F.R. part 1520. 
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Introduction 



SSI constitutes one category of "Sensitive but Unclassified" (SBU) 
information - information generally restricted from public disclosure but that 
is not classified national security information. 

• SSI is an SBU category specifically required by statute (other 
examples include Protected Critical Infrastructure Information and 
Privacy Act information). 

• Categories of SBU information not specifically mandated by statute 
include For Official Use Only and Law Enforcement Sensitive 
Information. 

The Freedom of Information Act (FOIA) is the primary process for releasing 
information to (and for withholding information from) the public, as 
appropriate. See 5 U.S.C. § 552. SSI, by statute, is exempt from disclosure 
under FOIA. 
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Introduction 



TSA, through its SSI authority, prohibits the public disclosure of information 
obtained or developed in the conduct of security activities that would be 
detrimental to transportation security. 

According to TSA, SSI is generated by TSA, other DHS agencies, airports, 
aircraft operators, and other regulated parties, when they are establishing 
or implementing security programs or documentation to address security 
requirements. 

SSI regulations allow for the sharing of SSI with covered persons having a 
need to know-including airport operators, aircraft operators, foreign vessel 
owners, TSA employees, and other persons. 1 

According to TSA, safeguarding information as SSI allows controlled 
information sharing with covered persons to meet TSA's mission to protect 
the nation's transportation systems. 



"Covered person" is defined at 49 C.F.R. § 1520.7 and includes persons permanently or temporarily assigned, attached, or detailed to, 
employed by, or under contract with DHS. Section 1520.11 establishes the circumstances under which a person has a need to know SSI, 
:h as when a person requires access to specific SSI to carry out transportation security activities approved, accepted, funded, 
immended, or directed by DHS or the Department of Transportation. 
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Introduction 



TSA's SSI Office: 



Was established in February 2005 to develop and implement TSA policies 
concerning SSI handling, training, and protection. 

Provides guidance and training to other DHS agencies that use SSI, such as 
U.S. Customs and Border Protection, and serves as the Chair of the SSI 
Oversight Committee, which meets monthly to share SSI guidance and best 
practices. 

Reviews requests for SSI, including FOIA requests that might contain SSI. 

Is not responsible for ensuring the appropriate use of SSI markings by other 
DHS agencies. The exception to this rule occurs when the SSI Office is asked 
by other agencies to assist in responding to a request to release SSI. In such 
cases, the SSI Office reviews the information and provides a determination to 
the other agency as to whether the information has been appropriately marked 
as SSI. 
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Introduction 



There is ongoing congressional interest in whether TSA is applying 
the SSI criteria consistently and appropriately and balancing the 
trade-off between the need to protect SSI and the need to provide 
useful information to the public. 

One example of an instance is when an individual might seek SSI in 
connection with a civil proceeding in a U.S. District Court. TSA will 
make an initial determination on whether the party has a substantial 
need for any of the specific SSI to which access is sought and 
whether the sensitivity of the issue is such that any provisions of 
access would present a risk of harm to the nation. 



Page 8 



GAO-08-232R Transportation Security Administration 



k GAP 

Accountability ' Integrity • Reliability 



Introduction 



Section 525 of the DHS Appropriations Act, 2007 (Public Law 1 09-295), requires the Secretary of 
DHS to revise Management Directive (MD) 1 1056-which establishes the department's policy 
regarding the recognition, identification, and safeguarding of SSI-to provide for the following: 2 

• review requests to publicly release SSI in a timely manner and release information that no 
longer requires safeguarding as SSI; 

• release certain SSI that is 3 years old upon request unless it is determined the information 
must remain SSI or is otherwise exempt from disclosure under applicable law; and 

• provide common and extensive examples of the 16 categories of SSI (see attachment 1 for 
a list of the categories) to minimize and standardize judgment by persons identifying 
information as SSI. 

The law further prescribes steps that must be taken during the course of a civil proceeding in the 
U.S. District Courts when a party seeking access to SSI demonstrates a substantial needlor the 
information and cannot, without undue hardship, obtain the substantial equivalent of the 
information by other means. 

This law also requires GAO to report to the Committees on Appropriations of the Senate and the 
House of Representatives on DHS progress and procedures in implementing these requirements 
not later than 1 year from the date of enactment of the Act (October 4, 2006)This briefing 
responds to that mandate. 

2 See Pub. L No. 109-295, S 525, 120 Stat 1356, 1381-82 (2006). 




In June 2005, 3 we recommended that DHS direct the Administrator of TSA 
to establish: 

• guidance and procedures for using TSA regulations to determine what 
constitutes SSI; 

• responsibility for the identification and determination of SSI; 

• policies and procedures within TSA for providing training to those 
making SSI determinations; and 

• internal controls that define responsibilities for monitoring compliance 
with SSI regulations, policies, and procedures and communicate these 
responsibilities throughout TSA. 

a See GAO-05-677, Transportation Security Administration: Clear Policies and Oversight Needed for Sensitive Security Information 
(Washington, D.C: June 29, 2005). f 
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Objectives 



To respond to the mandate and update the status of our 
recommendations, we established four objectives. Specifically, we 
assessed DHS's: 

1 . status in establishing criteria and examples for the identification of 
SSI , 

2. efforts in providing training to those that identify and designate SSI; 

3. processes for responding to requests to release SSI, including the 
legislative mandate to review various types of requests to release 
SSI; and 

4. efforts in establishing internal controls that define responsibilities for 
monitoring SSI policies and procedures. 



AGAO 

=™ Accountability ■ Integrity ■ Reliability 



Scope and Methodology 



To address the objectives we: 

• reviewed applicable DHS management directives, 
policies and procedures, and other documents related to 
SSI designation, training, document review, and the 
oversight process, and 

• interviewed TSA and DHS officials involved in the SSI 
designation, training, document review, and oversight 
process. 



10 
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Scope and Methodology 



Our review focused on the policies and procedures developed by TSA's SSI Office, but we also 
interviewed officials from four additional DHS agencies to better understand the use of SSI 
throughout DHS. 

We compared the internal controls in place with the standards for internal control in the federal 
government to determine whether TSA's internal controls are designed to provide assurance that 
monitoring is in place and a control environment and activities have been established. 4 

We also used as criteria GAO-developed core characteristics of a strategic training program to 
assess whether TSA has created and implemented the training necessary for staff to make SSI 
determinations. 5 

We determined that the data were sufficiently reliable for the purposes of our review. We based 
our decision on an assessment of existing documentation on program operations, and interviews 
with knowledgeable officials about the source of the data and TSA's policies and procedures for 
collecting and maintaining the data. 

We conducted our work from May 2007 through October 2007 in accordance with generally 
accepted government auditing standards. 



4 GAO, Standards for Internal Control In the Federal Government, GAO/AIMD-00-21 .3.1 (Washington, D.C.: November 1999). 

AO, A Guide for Assessing Strategic Training and Development Efforts in the Federal Government, GAO-04-546G (Washington, D.C: "I "I 
h 2004). 
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Results in Brief 



TSA has established SSI criteria and examples, and several DHS 
agencies have recognized opportunities to adapt the SSI criteria to 
their unique needs: 

• DHS revised its MD to address the need for SSI criteria and examples 
in accordance with the law. 

• TSA has shared its documentation of SSI criteria and examples with 
other DHS agencies to help them identify and designate SSI. 6 

• Officials we interviewed from DHS agencies that work with or generate 
SSI products stated that they have developed, or are in the process of 
developing, their own SSI examples to correspond with the types of 
SSI that their agencies encounter. 

6 1 n the context ot this research, we use the term "designate" to include the identification and marking of information as SSI. It should be noted that 
the SSI Office uses the term "designate" to mean an original SSI determination in writing. See 49 C.F.R. § 1520.5(b)(9)(iii), (16). Under the DHS -|2 
inly the DHS Secretary, the TSA Administrator, and the Director of the SSI Office have the authority to designate SSI. 
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Results in Brief (cont'd) 



TSA is providing SSI training^ and aspects of the training program are 
consistent with several GAO-identified components of a nigh-quality 
training program: 

• The SSI Office has developed an SSI training program and has shared this 
program with DHS agencies that use and generate SSI. 

• TSA documentation from mid-September 2007 shows that 93.5 percent of TSA 
personnel {all employees and contractors) assigned to headquarters and 95.5 
percent of TSA personnel assigned to airports nave completed online SSI 
training. 7 

• The SSI Office uses a "train the trainer" model in which it trains SSI program 
managers and coordinators who are then expected to train appropriate staff in 
their agency. 

• Several aspects of the SSI training program are consistent with GAO-identified 
components of a high-quality training program. For example, TSA is soliciting 
feedback to evaluate the quality of the SSI training that it is providing. 



7 The SSI Office slated that all TSA employees have not completed the online SSI training because of normal attrition, military leave, and 
disability leave. -| 3 
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Results in Brief (cont'd) 



TSA has policies and procedures to respond to all three types of SSI 
requests, and a mechanism is in place to document its processes: 

• The SSI Office has a procedure in place to respond to requests from 
government entities, FOIA-related requests, and requests stemming 
from civil proceedings. 

• TSA plans to publish a Notice of Proposed Rulemaking to articulate 
the process for providing SSI to parties in connection with civil 
proceedings in U.S. District Courts. 

• The SSI Office has a process for recording its steps when reviewing 
requests to release SSI that serves as a quality control mechanism. 



14 
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Results in Brief (cont'd) 



TSA has established internal controls for SSI and created 
mechanisms to communicate these controls, which are consistent 
with internal control standards for the federal government: 8 

• DHS revised its MD to define responsibilities for monitoring the 
compliance with SSI regulations, policies, and procedures. 

• The MD establishes SSI program managers and coordinators to 
communicate SSI responsibilities with staff in their respective offices 
and agencies. 

• Various tools are used to monitor the compliance with SSI regulations, 

golicjes, and procedures including self-inspections w agency audits, and 
SI Office reviews based on requests to release SSI. 

• The internal controls TSA designed for monitoring compliance with SSI 
regulations, policies, and procedures are consistent with internal 
control standards for the federal government. 

» GAO/AIMD-00-21.3.1. 
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Objective #1 -Criteria and Examples for the 
Identification of SSI 

DHS revised MD 1 1056 in accordance with section 525 of the DHS 
Appropriations Act 2007, to address the need for common and extensive 
examples of individual categories of SSI. In response to this mandate, as 
well as GAO's past recommendation, DHS issued a revised MD (MD 
1 1 056. 1 ) and the TSA SSI Office issued the following guidance: 

• Advanced Application Guide : provides SSI criteria and examples for 
each ot the categories, 

• One-Page Summary List of SSI Criteria : provides SSI criteria and 
explanatory notes tor each category, 

• SSI Identification Guides: provide guidance for identifying SSI within 
the context ot specific DHS programs, and 

• SSI Reviewers' Guide: provides a more detailed version of the 
Advanced Application Guide that SSI Office analysts use to review 
requests for SSI. 



16 
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Objective #1 -Criteria and Examples for the 
Identification of SSI 



• TSA has shared its SSI criteria and examples with other DHS agencies to 
help them identify and designate SSI. 



• Officials we interviewed from DHS agencies that work with or generate SSI 
products stated that they have developed, or are in the process of 
developing, their own SSI examples to correspond with the types of SSI 
that their agencies encounter. For example: 

• U.S. Coast Guard worked with the SSI Office to develop an SSI 
Identification Guide that provides examples of the application of SSI 
criteria to documents generated by the Coast Guard; and 

• U.S. Customs and Border Protection has identified the need to create 
its own SSI Identification Guide and is currently working with the SSI 
Office to create the guidance. 
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Objective #1 -Criteria and Examples for the 
Identification of SSI 

• Using the SSI criteria and examples provided by the SSI Office DHS agencies that use SSI 
identify certain records as containing SSI. Section 537 of the DHS Appropriations Act, 2006 
(Public Law 1 09-90), enacted October 2005, mandated that DHS provide an annual list of all 
DHS documents that are designated SSI in their entirety for the period October 1 , 2005, through 
December 31 , 2005. Beginning on January 31 , 2007 (and annually thereafter), the DHS 
Secretary is to provide a report on all documents designated SSI in their entirety for the prior 
calendar year. Therefore, the report provided to Congress in 2006 covered a 3-monthperiod (it 
was due no later than January 31 , 2006), whereas the report provided in January 2007covered 
the entire prior calendar year, 2006. 

• There were 1 1 8 documents in the report provided by DHS in 2007. 9 Below are the DHS agencies 
that generated documents from the 2006 list and their relative percentage of documents 
generated: 

• Coast Guard (50 percent), 

• Office of Science and Technology (37 percent), and 

• TSA (13 percent). 

• As a result of policy updates made by the SSI Office 282 documents generated by TSA 
determined to be SSI in their entirety as reported to Congress in 2006 no longer met the criteria 
for continued SSI protection in their entirety. Therefore, if requested, some ofthe information 
contained in these documents could be publicly released. The removal of the 282 documents 
also helps to explain the smaller number of SSI documents DHS reported to Congress in 2007, 
particularly from TSA. 

a According to the report DHS provided to Congress in 2007, U.S. Customs and Border Protection did not report any documents that it 
generated and determined were SSI in their entirety. -| g 
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Objective #2-Training for Those Who 
Generate and Use SSI 



In response to GAO's recommendation to provide training to staff that 
generate SSI, TSA: 

• Requires new employees to take 60-minute online SSI training within 
the first week of employment. TSA documentation from mid- 
September 2007 shows that 93.5 percent of TSA personnel (all 
employees and contractors) assigned to headquarters and 95.5 
percent of TSA personnel assigned to airports nave completed the 
online training or completed the live training. 10 

• Provides recurring training to SSI coordinators from offices within DHS 
agencies that use SSI. 

• Provides 60-minute live training to TSA and selected DHS employees. 

• Develops specialized training for TSA contractors, SSI coordinators, 
and others as needed. 

10 TSA documentation shows that 3,097 out of 3,309 TSA personnel in headquarters and 49,626 out of 51 ,930 personnel assigned to 
airports have completed online SSI training. -| | 
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Objective #2-Training for Those Who 
Generate and Use SSI 



Although the SSI Office provides training to all SSI program managers and 
coordinators from the DHS agencies that use or generate SSI, the program 
manager from each DHS agency that handles SSI is responsible for 
customizing and evaluating the sufficiency of his or her SSI training to meet 
the agency's unique program needs. 

The SSI Office is utilizing a "train the trainer" model in which it trains SSI 
program managers and coordinators who are then expected to tailor the 
materials to train the appropriate staff in their agency or office. 
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Objective #2-Training for Those Who 
Generate and Use SSI 

TSA's training and development efforts reflect the following core characteristics that 
GAO has identified for a strategic training process: 11 

Stakeholder Involvement. Accountability, and Recognition : incorporate 
stakeholder feedback throughout the training process and establish accountability 
mechanisms to hold managers and employees responsible for learning in new ways. 

• The SSI Office collects stakeholder feedback on its training program through 
traininq_evaluation forms, its e-mail address, over the phone, and throuqh the 
DHS SSI Oversight Committee. 

• In an attempt to establish accountability for whether training has led to accurate 
SSI identifications, the SSI Office requires program managers and coordinators 
to complete self-evaluations that include evaluations of a selection of SSI 
designations in their respective office or agency. 

• SSI coordinators are required to complete a self-inspection every 12 months, 
and SSI program managers are required to complete a self-inspection every 18 
months. 
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Objective #2-Training for Those Who 
Generate and Use SSI 



Effective Resource Allocation and Partnerships and Learning from 
Others : provide the appropriate level of funding and resources to ensure 
that training is achieving its missions and goals, and coordinate within and 
among agencies to achieve economies of scale. 

• The creation of the DHS SSI Oversight Committee provides a 
mechanism for interagency coordination. 

• The SSI Office shares its guidance with other DHS components so 
that program managers can create customized training programs that 
will meet the needs of their staff. 

• According to TSA officials, additional funding would allow the SSI 
Office to provide more training and to create a national conference for 
SSI coordinators. 
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Objective #2-Training for Those Who 
Generate and Use SSI 

Data Quality Assurance and Continuous Performance Improvement : establish policies to 
collect quality data and use these data to evaluate the training program, and foster a culture of 
continuous improvement by assessing and refining the training program. 

• The SSI Office provides all DHS staff that complete live SSI training with a training 
evaluation form to evaluate both the content of the training and the quality of instruction. 

• During its process of responding to requests to release SSI. the SSI Office evaluates the 
accuracy of designations made oy various DHS agencies. If the SSI Office finds that the 
information has been inaccurately identified as being SSI, it can contact the DHS agency 
that made the original designation to identify the error. This allows DHS agencies to follow 
up with refined training to correct the problem as necessary. 

• The SSI Office began conducting audits within TSA in September 2007 to evaluate whether 
SSI is being appropriately marked and protected at various airports. The SSI Office invited 
other program managers to attend the audits so that lessons learned from the audits may 
be incorporated by other DHS agencies. 

The aspects of the SSI training program evaluated in this study are consistent with GAO 
identified components of a high-quality training program. 
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Objective #3-Processes for Responding to 
Requests to Release SSI 

Between February 2006 and January 2007, the SSI Office received 490 
requests to review records pertaining to the release of SSI. For January 
2007 through April 2007, the SSI Office reported the percentage of the 
total requests to review records by each type of request it processes, as 
follows: 

1 . requests from government entities (62 percent); 

2. FOIA requests that may contain SSI (30 percent); and 

3. requests from individuals in connection with litigation, including 
civil proceedings, within U.S. District Courts (8 percent). 12 

On most occasions, the SSI Office is able to respond to all types of 
requests within 7-14 days. TSA documentation indicates that the SSI 
Office is able to meet this goal in 92 percent of all requests. The SSI 
Office stated that it is not able to complete all requests within its 7-14 
days due to the size and complexity of certain requests, as well as the 
client's needs and the SSI Office's workload. 

rz According to TSA, additional programming to the SSI Office database would be required to show the percentage for the three types of 

SSI requests (litigation, FOIA, and other) tor February 2006 -January 2007. 24 
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Objective #3-Requests for SSI by 
Government Entities 



Requests for SSI from government entities can include 
requests from federal, state, local, or tribal governments. 

The SSI Office works with the requesting government entity 
to agree upon a time frame for processing the request. 

All requests for SSI, including requests from government 
entities, are reviewed by the SSI Office through a nine-step 
process (see attachment II for more details on this process). 
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Objective #3-Requests for SSI through the 
Freedom of Information Act 



The SSI Office has established a process for reviewing information 
requested through the FOIA process in 5 days, unless the request contains 
more than 100 pages. 

The SSI Office and FOIA Office coordinate to establish deadlines for FOIA 
requests that contain more than 100 pages. 

Officials from the TSA FOIA Office stated that the SSI Office responds to 
FOIA requests in a timely manner. 

The SSI Office has provided training to the department's FOIA Office staff 
members so that they can make basic determinations on whether a FOIA 
request might include SSI. 
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Objective #3-Process for Responding to Requests 
to Release SSI That Is at Least 3 Years Old 



• The information that should be designated as SSI, based on the application of 
the current identification (ID) guidance, may change over time, given changing 
circumstances. For example, Trie TSA Administrator may decide to publicly 
disclose information previously designated as SSI to increase public awareness 
of an issue or security program. 



• At the time of a reguest to release SSI, all requested information is to be 
reviewed against the SSI categories and current precedents for applying each 
category. This process is to occur with all requested SSI, regardless of the age 
of the information. 



• According to SSI Office officials, the content of the information being requested 
is the relevant factor to be considered, not the age of the information. 



• All SSI that is at least 3 years old that does not warrant continued protection as 
SSI is released upon request. 




AGAO 

™S^™ Accountability ■ Integrity ■ Reliability 



Objective #3-Requests for SSI during Civil 
Proceedings 



According to TSA's Office of Chief Counsel, persons who do not otherwise have a "need to 
know" sought SSI 48 times in connection with civil proceedings since TSA was established. 
Since the enactment of Public Law 109-295 in October 2006, 9 such requests for SSI have been 
made in connection with civil proceedings. 

Prior to the passage of Public Law 1 09-295, TSA did not jpermit SSI access in civil proceedings 
by persons who did not otherwise have a need to know. TSA did submit SSI to courts for in 
camera review. 13 

Section 525(d) of Public Law 109-295 prescribes steps that must be taken during the course of a 
civil proceeding in the U.S. District Courts when a party seeking access to SSI demonstrates a 
substantial need for the information and that it cannot, without undue hardship, obtain the 
substantial equivalent of the information by other means. 

Since the enactment of this provision, one litigant has requested that TSA make a final 
determination on a request for SSI access in connection with civil proceedings. TSA complied 
with this request and, in accordance with the law, issued a final determination releasing some of 
the requested SSI while withholding other SSI because of the sensitivity of the information or 
because it was not relevant to the litigation. 
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Objective #3-Requests for SSI during Civil 
Proceedings 

According to TSA documentation: 

• If TSA or the judge decides that a party in a civil proceeding has demonstrated that it has a 
substantial needlor relevant SSI and tnat it is unable without undue hardship to obtain the 
substantial equivalent of the information by other means, and if TSA or the judge has determined 
that the sensitivity of the SSI at issue does not present a risk of harm to the nation TSA will 
begin a background check of the requesting party or the party's attorney who has been 
designated to view the SSI. 

• Once TSA has received a party's payment to conduct the background check, and the party has 
completed an SSI threat assessment questionnaire and been fingerprinted, it takes 
approximately 3 weeks to complete the background check. 

• If TSA determines that there is risk to the nation to provide a party or a party's attorney with SSI 
based on the results of the background check, TSA will deny the applicant's request. At that time, 
the party may designate a new attorney to access SSI on its behalf. If this occurs, TSA will 
conduct a background check on the new attorney. 

• The determination of whether SSI will be released to a party in civil proceedings is a joint 
determination made by TSA's Office of Chief Counsel and the SSI Office. 
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Objective #3-SSI Office Efforts to Establish Quality 
Controls for Responding to SSI Requests 



The SSI Office's use of a controlled access database to document the 
completion of its steps in the review of requests to release SSI serves 
as a quality control mechanism. This is achieved by: 

• incorporating controls in the database so that the previous step 
must be documented before information can be entered in the next 
step of the review process; and 

• requiring that a senior analyst within the SSI Office approve the 
SSI review and document his or her approval in the database prior 
to releasing information formerly protected as SSI. 

TSA is also currently drafting a Notice of Proposed Rulemaking in 
anticipation of establishing its processes and procedures for 
responding to requests for SSI during civil proceedings. 
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Objective #4-DHS SSI Internal Controls Are 
Consistent with Internal Control Standards for the 
Federal Government 

TSA has established internal controls for SSI and created mechanisms to 
communicate these controls that are consistent with internal control 
standards for the federal government. 14 

Control Environment and Control Activities: areas of authority and 
responsibility to be clearly defined by a supportive management structure 
and controls in place to ensure that management's directives are carried 
out. 

• Areas of authority for the monitoring and compliance of SSI policy are 
outlined in the revised DHS MD (MD 1 1056.1) and other agency and 
departmental guidance. 

• SSI program managers and coordinators have been established in the 
MP to communicate SSI responsibilities with DHS staff. 



4 GAO/AIMD-00-21.3.1. 
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Objective #4-DHS SSI Internal Controls Are 
Consistent with Internal Control Standards for the 
Federal Government 

Monitoring : information is used to assess the quality of program performance over 
time and problems raised during quality reviews are promptly resolved. 

• Controls are in olace to provide oversight for each agency's generation and 
designation of SSI including self-inspection reporting methods. The self- 
inspection process requires SSI program managers and coordinators to, among 

§ther monitoring activities, evaluate a portion or records marked as containing 
ol . 

• Agencies may also utilize audits of the identification and use of SSI. TSA is in 
the process of conducting such an audit. 

• The SSI Office reviews information in response to requests to release SSI, 
regardless of the agency that originally identified the information as SSI. 

The aspects of the SSI internal controls for monitoring activities that we evaluated 
are consistent with internal control standards for the federal government. 
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Attachment #1 -Categories of SSI as 


Established by TSA at 49 C.F.R. § 1520.5(b) 


1 . Security program and contingency plans; 


9. security screening information; 


2. security directives; 


10. security training materials; 


3. information circulars; 


1 1 . identifying information of certain 
transportation security personnel; 


4. performance specifications; 


12. critical aviation or maritime infrastructure 
asset information; 


5. vulnerability assessments; 


6. security inspections or investigative 
information; 


13. systems security information; 


14. confidential business information; 


7. threat information; 


15. research and development; and 


8. security measures; 


16. other information determined to be SSI 
in accordance with the statute (as 
designated in writing by the DHS 
Secretary, the TSA Administrator, or the 
Director of the SSI Office^ 
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Attachment #2-SSI Office's Nine-Step Process 
for Reviewing Document Requests 15 



1) REQUEST: 
requester submits 
record for review 



2) INCOMING: 
logged into the SSI Office 
database and shared drive 
system 



3) ASSIGNMENT: 
request is assigned to 
review team 



4) PLANNING: 
record is 
assessed for 
general content, 
completeness, 



9) RE-EVALUATION: as 
needed, additional review 
work is completed to 
address any requester 
questions or concerns 



5) ANALYSIS: record 
is reviewed for SSI 
and working copy is 
ited 



8) DELIVERY and CLOSE- 
OUT: findings provided to 
requester, file/document 
management completed 



7) PRODUCTION: visible 
redaction and/or 
releasable copies are 
created and quality 



6) APPROVAL/ 
FINAL REVIEW: 
review findings are 
finalized 



,b GAO analysis of information provided by the TSA SSI Office. 
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